Guys what is wrong with ACATS

Patrick McKenzie (patio11)
Many beginnings imply a contemporaneous ending. This is often bittersweet. Some personal news implies a tearful goodbye to soon-to-be-former coworkers. A new adventure of scholasticism and self-discovery means saying goodbye to your high-school friends. And a new brokerage account often implies leaving a years- (or decades-!) long relationship with a firm that stuck with you, feels a bit like a jilted lover, and by the way happens to constructively control most of your net worth.

This particular beginning and ending is mediated by a complex techno-legal system called ACATS: the Automated Customer Assets Transfer System. ACATS is quite impressive, underpins a very important part of the financial system, and some of the quirks of how it operates will probably surprise you.

The title of this issue is a play on an AI-generated song. Infohazard warning about which I am being absolutely serious: you probably have the experience of a song being an “earworm” that you cannot get out of your head. This song is not simply an earworm. It is auditory superstimulus, like the Dorito, carefully designed to taste like nothing in nature. Unlike the Dorito, which someone is guilty of, this song either has no author or has all the authors. I think if you say the words “my cat” to me when I am on my deathbed I will immediately hum three notes. With that very important caveat out of the way, if you want to be mimetically infected as the price of getting this reference, take a listen at Suno here.

A brief digression into self-regulatory organizations

Brokerages are regulated by FINRA. FINRA stands for many things, though these days FINRA might deny that it is an acronym. In previous years, though, it was definitely the Financial Industry Regulatory Authority. One reason FINRA is not an acronym, to the extent it is not an acronym, is that an unsophisticated investor might hear that and assume “Ah yes, FINRA is clearly part of the government” and FINRA will immediately swear up, down, and sideways they are not. They are just a financial regulator overseeing trillions of dollars.

Self-regulatory organizations (SROs) are industry associations. There are many industry associations in the world.

Some pool money to pay for a-rising-tide-lifts-all-bovines advertising. Some exist to get peers together for merriment, diversion, and some conspiracy against the public. (This is a joking reference to a famous passage from Adam Smith. On a completely unrelated note, please feel free to introduce yourself if you see me at a software conference. I’ll be doing a talk about raising prices.)

SROs are the type of industry associations that partially exist as a blocking play. If we don’t get our house in order, Dangerous Professionals from the government are going to barge into our house to order it for us. That will be disruptive to providing valuable services to customers at a price they are willing to pay.

FINRA regulates asset transfers between brokerages

Discount brokerages are large, trustworthy, competent institutions. But there are some brokerages which are not. There are wirehouses attached to large investment banks like e.g. JP Morgan (large, trustworthy, and competent, but not a discount brokerage), there is Robinhood (a large discount brokerage), but by far the most numerous are small boutiques which keep on keeping on.

Some of those boutiques have been known to be a bit grasping when assets under management attempt to walk out the door. They would refuse to let their customer leave. When told this was extremely improper, they whined and said it was really difficult to facilitate their customer leaving, and wouldn’t the customer prefer staying, and Cindy who can actually take care of this will be back in the office the first Tuesday after the waxing moon.

And so FINRA listened to its members (brokerages), customers, advocates, and counterparts in government, and passed a rule. Cindy can go on vacation any time she wants, but it is the brokerage and not Cindy who is responsible for outcomes, and only one outcome is acceptable: if a customer wants to move their assets out, you must let them.

The full rule is necessarily more complicated than that gloss of the intent of the rule. It’s not unknowable inside baseball; see FINRA Rule 11870. It is somewhat somnambulance inducing:

When a customer whose securities account is carried by a member (the "carrying member") wishes to transfer securities account assets, in whole or in specifically designated part, to another member (the "receiving member") and gives authorized instructions to the receiving member, both members must expedite and coordinate activities with respect to the transfer..

But, by the standards of many regulations, it is short and actionable.

Rule 11870 doesn’t itself establish a technical artifact but exists in tandem with one: ACATS.

How does one transfer securities account assets?

What is a share of stock, really? An abstracted right to ownership of a corporation? A legal contract promising the same? Some complex sociopolitical edifice where judges who are not yet born will of course automatically award surplus returns of an enterprise to an equity holder even when told not to by a nuclear-armed government? A share is all of these things.

But also, in a really important way, a share is an entry in a spreadsheet.

Whose spreadsheet? Everyone’s spreadsheets. Stock that you own, and you really do own it, exists as the superposition of several spreadsheets. Your spreadsheets, for example. Those matter. Spreadsheets (or databases, or blockchains, or… actually no probably not blockchains even cryptoenthusiast technologists don’t believe that will happen anymore) at your brokerage. And then, in a fascinating wrinkle that Matt Levine has covered many times, a spreadsheet at the Depository Trust Company, which keeps almost all the stocks and simultaneously has very probably never heard of you.

So when you move stock between brokerages, nobody needs to print out a stock certificate and courier it across Chicago, New York, or the Pacific Ocean anymore. Thank goodness. (I have no stories, but I have friends who have stories, and the Die Hard steal-the-bearer-bonds plot didn’t come from nowhere.) You just have to coordinate updating the spreadsheets. How hard could that possibly be.

ACATS is a system with technical and legal elements to it. It greatly decreases the number of moving parts required to coordinate updating spreadsheets. The pre-ACATS era meant needing to interface directly with the thousands of other brokerages in the United States. You had to care deeply about the operational differences at their firms. Sometimes your Ops and their Ops didn’t use the same version of Excel. It was anarchy. ACATS puts very diverse firms behind a relatively consistent experience, while simultaneously codifying operations and reducing various forms of risk to the process. This is a very common way to create value in financial technology.

What does an ACATS request actually entail?

A customer selects a new brokerage and tells that brokerage they intend to move in assets. That brokerage, which very much wants to get those assets onto their own books (and spreadsheets, etc etc, as a necessary consequence), will assist them in operating ACATS on their behalf. The customer will very likely never care about nor understand a complex operational symphony happening in the background.

The brokerage will likely kick off a few processes which don’t necessarily happen in Internet time and aren’t strictly coupled but might feel like they are to the customer. They will ask the customer to create a new account, which (extremely relevantly) will require the brokerage running their KYC process on the customer. They will very likely ask the customer for their last brokerage statement. And they will ask the customer to authorize them moving over the previous assets.

That authorization is customarily on a very templated rather short contract / form, and the template is almost inevitably going to rhyme heavily with the template in FINRA Rule 11870. But, in one of those fascinating rabbit holes about how the world actually works, authorization does not mean performing a particular ritual on a particular written instrument. Authorization means permitting something. You can permit something with words, most typically, or even a gesture.

As a very concrete consequence of this, many of those forms will be filled out not by the customer, but by the brokerage employee working on onboarding them. This is not bad and is not fraud. That feels weird to say out loud but it is extremely important: they have authorization. They are doing the thing brokerages do, taking specific authorization for a specific action from a customer and translating it into a complex series of technical and legal processes to cause the physical result in the world that the customer wants to happen.

And so, the form that authorizes an ACATS request might have a signature blank at the bottom. Some of them are signed by the customer, in that the customer had that form physically presented to them and they affixed their signature with a pen. Some are signed by the customer via a solution like Docusign, which might or might not imply that they actually saw an image which physically resembles the form that gets signed.

And some of them are signed on the customer’s behalf. The exact form of that might look like the ASCII characters /s/ John Q. Public. Skeptical? Those are, and these words are carefully chosen to sound very rigorous, “an electronic signature in a format recognized as valid under federal law to conduct interstate commerce.” You probably assumed there would be public key encryption involved in an electronic signature and this is allowed but not required.

All of this is actually normal

And, combined with the next bit, it will give many security-minded people an aneurysm.

Brokerages frequently do not verify incoming ACATS requests

ACATS is a network of trusted peers who have contractual (and other) relationships with a central organizing entity. One thing peers agree to do is to act upon incoming requests very, very quickly by the standards of financial institutions. One thing they do to accomplish this is very surprising: most ACATS requests will cause the brokerage losing the assets to not verify with their customer that the request is authorized.

“What.”, I hear you ask. No, this is true, and this is designed, and this is normal. It only sounds batshit insane.

Let’s start with the timeline: a brokerage receiving an ACATS request must complete any investigation within three business days. FINRA doesn’t get hyperspecific on any particular thing you must or mustn’t do within those three business days, but that shot clock starts running instantly once your computer gets the message from the other computer.

“Cindy didn’t check her mail because she was on vacation” is not a valid excuse. The brokerage gets only two options: validate (agree to) the request, or take exception to the request. Validation starts a second shot clock to actually complete the spreadsheet updates. It is not quite a no-takesies-backsies decision. True trapdoors are rare in finance. But reversing it is uncommon and unfun for all parties.

You cannot take exception simply because you feel like it. You must communicate one of twelve enumerated reasons. The general flavor of them is “that account has no assets in it”, “that account number doesn’t correspond to an account that exists in this universe”, “the person who you claim has authorized this transfer doesn’t own that account”, etc.

Questions about title, about who really owns the assets in an account, sound really simple to non-specialists who are mostly familiar with individual accounts. John owns the money in John’s accounts, right?

Hah, hah, hah.

The “edge cases” cover trillions of dollars.

John and Mary just divorced and while the account records reflect John as sole owner, the divorce decree says Mary owns half of the account. Your blockchain disagrees with an Article III judge? Then your blockchain is wrong. Fix your blockchain.

These determinations are fact-intensive and, again, are not necessarily obvious to either brokerage or even to the account owner themselves. John very likely thinks he owns his own money and may even think that in a sincere and innocent fashion. The brokerage doesn’t have actual possession of a divorce decree and very likely has no actual knowledge of a contemplated divorce. It doesn’t matter.

Tick tock tick tock. FINRA doesn’t care. The orderly operation of capitalism must go on, private tragedies notwithstanding, and your brokerage must make a determination before three business days are up. Validate or take exception. Those are your only two options.

Now let’s superimpose another difficult reality on this one: brokerages will, in the ordinary course of business, spend long periods of time happily having no real communication with their customers. Oh sure, their customer will receive account statements, and they might even place trades, but the last time a human talked to another human was… early in the 2010s?

Ping, ping, incoming message from ACATS. John purportedly wants to move his assets. The shot clock has begun. You have three business days.

Does the phone number on file from 2004 still work for John? FINRA doesn’t care. Does John still use AOL? FINRA doesn’t care. Can the United States Postal Service successfully put a piece of paper in John’s hand within three business days? FINRA doesn’t care. Will John pick up the phone for an unknown caller attempting to reach him on a matter of urgency? FINRA doesn’t care. Is John in the hospital on his deathbed? FINRA doesn’t care.

Brokerages are broadly competent and they know all of this. They know they cannot, at scale, successfully verify all of the transfers for all of the customers. And so they make a business decision to not contact customers for most transfers by count and reserve extraordinary efforts for contacting only very important customers, who might be most transfers by volume of assets.

The brokerage will absolutely not phrase this as “We don’t verify outgoing transfers.” They will check, and check most diligently, that the account number claimed is the account number, that the name matches the name on file, etc. And their Operations team understands that sometimes names do not match and that is OK, and sometimes it means Nope That’s A Specially Enumerated Exception Right There.

Sometimes they will look at the signature card, because everyone enjoys live action roleplaying occasionally. If John cannot in 2024 reproduce his signature from 2004, I have an epic non-surprise for you: FINRA doesn’t care. But, hey, it is the culture of the United States that financial institutions and expert witnesses in court sometimes do forensic analysis. Do we believe it is possible to compare signatures and gain useful information? Do we believe in the tooth fairy? Yes in some ways and no in others. We take no important decisions premised mostly on belief in the tooth fairy. And, again, “/s/ John Q. Public” is a normal and accepted way to represent John’s consent to move assets.

Small account transfers with paperwork that has no glaring errors will be approved in the ordinary course. Sometimes those transfers will be fraudulent. Brokerages defrauded in this fashion will be annoyed, but not surprised, because they are competent financial institutions. They understand that the optimal amount of fraud is not zero.

So what, ultimately, is a brokerage relying upon when it sends money to /s/ John Q. Public? It is relying on chained trust in a community of practice, and on a web of contracts, and on a business decision, all at once.

And that means that if a bad guy can convince any brokerage in the U.S. that it is John, the bad guy can fairly reliably cause movement of all of John’s financial assets.

Recent developments in ACATS fraud

You can probably guess the shape of the attack.

Get a copy of John’s ID from, perhaps, a vendor specializing in “fullz” on the Dark Web. Figure out where John keeps his accounts by e.g. just guessing that it might be one of the places where 80% of Americans with assets keep their retirement accounts. Open up an app, tap tap tap, request to move “your” assets to “your” new account. And then lie about being John while telling some truths you know about John.

Now, wait five to seven business days.

Congrats, John’s assets now appear to be in “your” brokerage account. Your brokerage is in the business of giving you access to “your” money swiftly when you want it. Now would be a great time to wire it out, take it out on that debit card connected to the account, place a trade which successfully transfers value to a confederate’s account, etc etc.

Five to seven business days is much more frequent than many Americans, even many wealthy Americans, check their brokerage accounts, and so the money may be spendable before any involved human realizes it has been taken improperly.

This is, obviously, super duper illegal. But in another sense it is just business. For you, as a criminal, this is Tuesday. And for brokerages, well, capitalism hopes they catch most people trying this.

Some brokerages have not successfully caught some people trying this. That is normal and expected. Some brokerages have not successfully caught a rather large number of people trying this.

That was a bit concerning. To FINRA, for example, which has a podcast episode about how it coordinated an industry-wide fact finding process to issue a pair of Reg Notices to let the industry know about this new Wild West of criminality and how to deal with it.

Now, the most sophisticated and competent brokerages already had large security teams working on this problem. But again, some brokerages aren’t nearly as large and well-resourced as a non-specialist might suspect.

Also, how to say this delicately: competence is unevenly distributed in the world. Sometimes this is wonderful; you can pick diamonds in the rough out on the Internet, who have no institutional backing but nonetheless achieve incredible results in deep areas of human endeavor. And sometimes the odd spike is in the other direction: a regulated institution has an important function headed up by a well-credentialed, impeccably pedigreed, speaks-at-conferences, well-liked-by-colleagues-and-friends individual who capitalism should not want in the chair they currently occupy.

A digression: It is considered very impolite in the U.S. professional managerial class to observe that a particular, named professional manager is incompetent at their job. An individual who makes a habit of it will be optimized out of decisionmaking processes featuring PMC members, which is… all decisionmaking processes, effectively. That deviant is ipso facto disruptive to orderly operations and also a bit of a career risk to be in the same room with. And so, even if you know someone to be incompetent, part of being an effective PMC class member in an executive position is to learn the approved euphemisms and rituals.

Anyhow, FINRA issued Reg Notices after a drawn out and somewhat ponderous process, for institutional reasons. They contain some mitigation recommendations that rhyme with “If a customer signs up for an account with you and doesn’t know where their brokerage account currently is, and sequentially asks you to transfer accounts at each of the top 10 brokerages in the U.S., perhaps you might want to look into that.”

When you phrase it like that, it might sound obvious. But for Seeing Like A Bank reasons, the actual screen in front of the actual operations professional who is actually making a the-shot-clock-is-ticking decision on John’s accounts might not display that “John” has recently made four ACATS requests that were each rejected for non-existence. One objective of the Reg Notices is activating a ponderous machine that will eventually get a technologist deep in the bowels in the least sexy part of a brokerage to fix that screen.
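
The cross-request view that the screen described above may lack, sketched from the receiving firm's side as an added example (not code from this essay, FINRA, or any brokerage): it groups transfer requests by new customer and flags anyone who targets several carrying firms or collects several rejections inside one time window. The record fields, outcome labels, thresholds and sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical outcome labels for this example. They are NOT the twelve
# enumerated ACATS exception reasons, which the essay does not list.
VALIDATED = "validated"
NO_SUCH_ACCOUNT = "exception_no_such_account"
NAME_MISMATCH = "exception_name_mismatch"


@dataclass(frozen=True)
class TransferRequest:
    customer_id: str        # receiving firm's own ID for the new customer
    account_opened: date    # when that customer onboarded
    carrying_firm: str      # firm the assets are requested from
    submitted: date
    outcome: str


@dataclass(frozen=True)
class Finding:
    firms: int              # most distinct carrying firms in any one window
    rejections: int         # most rejected requests in any one window
    new_account: bool       # first request soon after account opening


def review_flags(requests, window_days=30, firm_limit=3,
                 rejection_limit=2, new_account_days=14):
    """Return {customer_id: Finding} for customers needing manual review.

    All thresholds are assumed values for illustration, not FINRA guidance.
    """
    by_customer = defaultdict(list)
    for req in requests:
        by_customer[req.customer_id].append(req)

    window = timedelta(days=window_days)
    flagged = {}
    for customer, reqs in by_customer.items():
        reqs.sort(key=lambda r: r.submitted)
        max_firms = max_rejections = 0
        start = 0
        for end, current in enumerate(reqs):
            # Advance the window start until it is within range of `current`.
            while current.submitted - reqs[start].submitted > window:
                start += 1
            in_window = reqs[start:end + 1]
            max_firms = max(max_firms,
                            len({r.carrying_firm for r in in_window}))
            max_rejections = max(max_rejections,
                                 sum(r.outcome != VALIDATED for r in in_window))
        if max_firms >= firm_limit or max_rejections >= rejection_limit:
            age = (reqs[0].submitted - reqs[0].account_opened).days
            flagged[customer] = Finding(max_firms, max_rejections,
                                        age <= new_account_days)
    return flagged


def ops_banner(customer_id, finding):
    """One line for the reviewer's screen, shown before the decision is made."""
    note = " on a newly opened account" if finding.new_account else ""
    return (f"{customer_id}: {finding.firms} carrying firms and "
            f"{finding.rejections} rejected requests within one window{note}")


# Constructed sample data: three customers at a hypothetical receiving firm.
SAMPLE = [
    TransferRequest("C-1001", date(2024, 3, 1), "Firm A", date(2024, 3, 1), NO_SUCH_ACCOUNT),
    TransferRequest("C-1001", date(2024, 3, 1), "Firm B", date(2024, 3, 4), NO_SUCH_ACCOUNT),
    TransferRequest("C-1001", date(2024, 3, 1), "Firm C", date(2024, 3, 5), NO_SUCH_ACCOUNT),
    TransferRequest("C-1001", date(2024, 3, 1), "Firm D", date(2024, 3, 6), NO_SUCH_ACCOUNT),
    TransferRequest("C-1001", date(2024, 3, 1), "Firm E", date(2024, 3, 7), VALIDATED),
    TransferRequest("C-2002", date(2023, 1, 10), "Firm A", date(2024, 3, 4), VALIDATED),
    TransferRequest("C-3003", date(2024, 2, 20), "Firm B", date(2024, 2, 26), NAME_MISMATCH),
    TransferRequest("C-3003", date(2024, 2, 20), "Firm B", date(2024, 3, 1), VALIDATED),
]

if __name__ == "__main__":
    for cid, finding in review_flags(SAMPLE).items():
        print(ops_banner(cid, finding))
```

A single corrected resubmission to the same firm (C-3003 in the sample) stays below both thresholds, so ordinary paperwork errors do not reach the review queue.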

Should I be terrified, Patrick?

This is all normal and working as designed! Capitalism will function on Monday pretty much like it did on Friday! Your assets are safe in an eventually consistent sort of way; your brokerage will eventually come around to agreeing with your view on the matter, regardless of what their first communication says.

If you get mugged in San Francisco, society expresses sympathy, kinda, but you are never going to see your wallet again.

Finance. Does. Not. Work. This. Way.

If your brokerage makes a mistake with your assets, and they have before and will again make many mistakes, then they will make you whole. Financial institutions have capital for a reason. There is a budget for operating losses. There is a budget for fraud losses. The aggregate expenditure of effort by society in solving this problem greatly exceeds the aggregate expenditure of effort by society in solving muggings.

If your balance suddenly goes to zero in a surprising fashion, that will be very stressful for you but they are eventually good for it, with very high probability.

Some people hire a lawyer to resolve this and it’s just about the easiest letter for a lawyer to write: Here’s my best understanding of what my client owns. You think they own nothing. Fix this immediately or tell me in writing why you have decided not to. Lawsuits subsequent to fraudulent transfers and the brokerage deciding that, on reflection, no, they did the right thing are extremely uncommon, both in absolute numbers and as a percentage of all fraudulent transfers. But the nuclear option exists for those very, very, very few customers who need it to compel action.

Should we be satisfied with this? Probably not at the current margin.

Many people who own, and depend upon, assets are not competent enough to project manage the resolution pathway here, and may (largely wrongly) assume that they have been stolen from in a durable fashion. Some might come to this (mistaken) point of view because they talked to a front line customer service representative of the brokerage who, and this is aggravating but it will happen at least once today even in a regulated institution, just makes shit up rather than reading the Emergency Escalations list printed in their cubicle. Some might come to this (mistaken) point of view because their brokerage of choice is other-than-competent at answering utterly routine inquiries and instead they get their information about capitalism from the first person who replies on Reddit, who is not necessarily the custodian of Reddit’s best answer to the question.

Another fun wonky control

Brokerages control many accounts worth $20,000 and some accounts worth millions or much more. Frequently, the formal text of the rules will treat those accounts equivalently. Go read the rule if you have any doubt; there is no This User Is Rich exception anywhere in it. Three business days, FINRA doesn’t care.

One (optional!) control that some institutions use is called a “medallion guarantee”, and it’s a fascinating combination of a physical artifact and a contractual risk transfer.

The receiving institution, who may be ultimately liable (to an action from the transferring institution, to recover the assets they already re-bought for the customer out of their risk budget) for a fraudulent transfer, can optionally require a customer to get a “medallion” issued to move the risk to another institution. Hilariously, that institution can in principle be totally uninvolved.

What is a medallion? A piece of paper that has a number on it and represents a promise. In brief form, that promise is “I, a financial institution who is absolutely good for this guarantee, warrant that I know this to be John. The paper attached to this medallion is authorized by John; he told me so. And if I was wrong, and I am not wrong, I will no-muss no-fuss reimburse you up to $_______.”

So John, when he tells a new company that he would like to move in about $1 million, might get asked to go get a $1 million medallion.

You might think this rhymes with notary services and it rhymes with insurance. All institutions involved will claim it is absolutely not notarization (a state function delegated to private individuals, who are almost universally not good for a million dollars if they screw up) and it is absolutely not insurance (a regulated industry).

Also, medallions are generally free. That surprises people, particularly people who model them as specialized insurance contracts.

The thresholds at which institutions request a medallion vary based on their own policies, but you might reasonably expect $500,000 or $1 million to be important thresholds. If you have an account with a million dollars in it, anywhere, your bank very probably loves you and wants you to be happy. Want a coffee? Stop by any time, they will happily give you a coffee. Charge for the coffee? Laughable. Oh you need an admissible proof of identity for a very wonky financial industry operations issue? Happy to oblige, sir, we are here for any of your diverse financial needs. Can I get you a coffee while you wait.

Yes, the bank is taking risk when issuing a medallion. But it’s a tiny, tiny, tiny risk from their perspective, which insulates the receiving company from a huge risk. The bank has many years of history over which they’ve become thoroughly convinced that John is John. The receiving institution has somebody claiming to be John who spent six minutes filling out an onboarding form in a mobile app. And so the largest firms in capitalism somewhere have a spreadsheet for how much they spent on medallions, much like they can (with difficulty) come up with a pretty exact number for how much they spent on toilet paper.

Toilet paper is substantially more expensive in aggregate even though no individual square of toilet paper has ever caused a $1 million wire.

And, thus, medallions. Most Americans will never see one in their lives. The typical mass affluent user is most likely to see one precisely once, right around retirement age, when e.g. moving their 401k to a new custodian.

But if you’re reading Bits about Money, you are much more likely to get asked for this quaint ritual than the population is at large, and now you know why. And perhaps you won’t be as frustrated as the typical person asked for a medallion, who fumes “Why do I have to walk into a bank just to get them to write ‘Yeah that’s John’ on a piece of paper? Everyone knows I’m John. My driver’s license says I’m John. I already gave that to the brokerage. I swear, the entire financial industry is staffed by incompetents.”

A final ACATS story

Once upon a time there was a financial technologist.

He made it his routine practice to buy just a few shares of every bank he worked with. This was not to make money, it was so that he could write a letter to Investor Relations if there was ever an issue he needed to escalate out of Customer Service purgatory. Investor Relations is highly placed in the org chart of banks and does not relish telling Investors they Relate to that their princess is in another castle.

Some time later, that customer caused another financial institution to ACATS out some assets, including the shares of that bank. Unfortunately, that bank had in the interim had a spot of trouble, and their stock had ended up on a "penny stock" list.

Many large, competent financial institutions have a rule about penny stocks, and it rounds to "absolutely not." And so the financial institution objected to its customer, claiming that it could not process the ACATS request, because it contained a trivial amount of equity in a bank.

In a bit of potent irony, the objecting financial institution owned the bank it objected to holding equity in.

Sometimes, the behavior of a financial institution in the moment looks insane. Often, if you play back history, the insanity is explicable as emerging from individually reasonable actions by several separate parties with only a partial view of the facts.

And, of course, playing history forward, this was trivially resolved. Just another day at the office.
